The risk & control self-assessment (RCSA) module, coupled with risk workshops, contains all the functionality required for assessing potential operational events.


The module includes five sub-modules: Workshops, Potential events, Controls, Insurance schemes and Causes. Besides specifying potential events, documenting and assessing the effectiveness of mitigators such as controls and insurance schemes is an integral part of the RCSA process.

Unlike market risk, where data is in abundance, assessing potential operational events is not primarily driven by data; to a high degree it depends on expert judgment, “soft” data and external loss experience.

To extract valuable input on operational weaknesses from the business, risk workshops should be run across the organization in a cyclical fashion. Risk workshops are facilitated and prepared by Risk Management in alignment with Management focus and priorities.

Workshops are open, honest, effective and stimulating conversations, where the business contributes actively to assessing potential events, mapping and estimating the effectiveness of the control environment, and estimating the likelihoods of events materializing. Workshops are not about pointing fingers, passive participation, taboo issues, or silo and habit thinking.

The figure below shows how causes, controls, insurance schemes, events and impacts are important components in understanding potential operational events. Notice how controls can be both preventive (reducing the likelihood of events occurring) and corrective (reducing impact if the events materialize).


SIGMAOpRisk takes into account the consequences of both preventive and corrective mitigation effectiveness when assessing the total portfolio risk and capital requirements from operational risks. This allows financial institutions and companies to understand their total net operational risks and helps them price the value of controls and insurance programs in terms of reduced risk and capital.

The Workshop module is a single web form. It supports the workshop process and helps pre-fill potential events as the workshop progresses and several events are detected and discussed.

The potential events form holds all information related to a potential event in a single form: specific information about the event, risk owners, impacts and likelihoods, related controls and insurance schemes (including their effectiveness), and related causes, procedures and contingency plans. It also includes Basel categorization on cause and loss categories.

In the control module, all controls that exist and help mitigate operational events are defined, along with relevant information about each. The form you see below is used to define all controls in the system. As you see, it covers quite general information. Besides a basic description, it includes who the control owner is, who performs the control and how frequently the control is (or should be) performed, in this case daily. It also states the control type (here it is preventive, i.e. it reduces the likelihood of the potential event occurring) and whether the control is manual or automatic.


Notice that the assessed effectiveness of a control is specified when it is assigned to a potential event, not on the definition of the control itself, since one control may apply to different potential events and may have different mitigating power for each.

In the Insurance scheme module, all insurance schemes that exist and help mitigate operational events are defined. Relevant information is specified for each, such as objective, insurance owner, minimum threshold, maximum coverage, expiry and insurance company.

The effectiveness of an insurance scheme is specified when it is assigned to a potential event, not on the definition of the insurance scheme, as it may have different levels of effectiveness for each potential event it applies to.

The risk & control self-assessment module also includes a causes form that specifies the different potential root causes for operational failures in the company. It links the defined causes to Basel cause categories.